Windows Server 2019 Password Reset

Posted on by Marv

The process for resetting the password of an Administrator user on Windows Server 2019 is more complex then in the past. This is due to new default security rules which cause Windows Defender to block any attempts on privilege escalation in order to execute a Password reset.

Follow the steps below to reset the Password:

1). Reboot into Linux Rescue or a Linux DVD

2). mount /dev/sda1 /mnt/

3). cd /mnt/Windows/System32

4). mv Utilman.exe Utilman.bck

5). cp cmd.exe Utilman.exe

6). cd /mnt/Windows/System32/config

7). cp SYSTEM SYSTEM.bk

8). chntpw -i SYSTEM

9). Hit 9.

10). cd \Control\Terminal Server\WinStations\RDP-Tcp

If it says not found use this instead: cd \ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp

11). ed UserAuthentication

12). Hit 0

13). ed SecurityLayer

14). Hit 0

15). Hit q

16). Hit q

17). Hit y

18). cp SOFTWARE SOFTWARE.bk

19). chntpw -i SOFTWARE

20). Hit 9

21). cd \Microsoft\Windows Defender

22). ed DisableAntiSpyware, then hit 1

23). ed DisableAntiVirus, then hit 1

24). cd Real-Time Protection

25). nv 4 DisableRealtimeMonitoring

26). ed DisableRealtimeMonitoring , then hit 1

27). Hit q

28). Hit q

29). Hit y

30). mv /mnt/Windows/System32/drivers/wd /mnt/Windows/System32/drivers/wd-old

31). Connect with RDP and click on “Ease of Access”

32). cmd window will now show, run the command: net user administrator newpassword

33). Close the cmd window and select the administrator user and login with the new password.

Extra Note:

If you are using Symantec A/V the following setting might also be of help:

chntpw -i SYSTEM

cd \ControlSet001\Services\SRTSP

ed Start

3

This should disable the service to allow for the cmd window to launch properly.

If this doesn’t work you can also try the following:

cd \ControlSet001\Services\SepMasterService

ed start

3

To revert the security changes you just made follow the additional steps below:

1). Go to Control Panel > System > Remote Settings > Checkbox for “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”

2). Go to C:\Windows\System32/

3). Delete Utilman.exe, then rename Utilman.bck back to Utilman.exe

4). Settings > Update & Security > Windows Security > Virus & Threat Detection > Virus & Threat Detection Settings > Turn On.

5). If steps 22 &23 were used then you need to open regedit as follows:

Download psexec from here: http://technet.microsoft.com/en-us/sysinternals/bb896649

Run: psexec -s -i regedit.exe

Then you can set DisableAntiSpyware and DisableAntiVirus back to 0

Make sure to also set them to 0 in \Policies\Microsoft\Windows Defender

  1 person found this article useful

Marv has written 28 articles

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>